Kaspersky Lab publishes the article “Attacks on banks”

23 Oct 2008 | Virus News

Kaspersky Lab, a leading developer of secure content management solutions, announces the publication of the article “Attacks on banks” by Roel Schouwenberg, a virus analyst for Kaspersky Lab. The article provides an overview of the methods currently used by cyber criminals to attack financial institutions.

Statistics quoted in the report show that although the percentage of financial malware detected each month is dropping, the number of malicious programs which target financial institutions is increasing. The majority of these programs tend to be delivered via the Internet, as this makes them less likely to attract the attention of security professionals than if they were delivered via email. Also, malware which infects victim systems via the web is hosted on web servers; the code can be modified before it is delivered to the victim machine or system, which hinders analysis and detection.

The increase in financial malware is the result of the increasing criminalization of cyberspace, as the use of malware to make money continues to grow. In addition to stealing funds, cyber criminals need ways to liquidate their virtual assets.

Phishing. A never-ending stream of phishing emails and phishing construction kits clearly demonstrates that phishing is still a very effective way of getting users to give away their personal information. Additionally, cyber criminals are constantly devising ever more ingenious social engineering schemes in order to trick even security-savvy users.

Redirecting traffic. Technical approaches include modifying the Windows hosts file or DNS server settings to redirect traffic to fake sites, or placing a Trojan on the victim machine. Traffic may be redirected from an HTTPS site to an HTTP (i.e. potentially insecure) site. However, redirected traffic is not processed in real time; when cyber criminals need real-time control (e.g. in order to prevent a victim from contacting his or her bank and stopping a transaction), a Man-in-the-Middle attack is used.
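As an added defender-side example (not code from the article or from Kaspersky Lab), the following script audits a hosts file for the kind of tampering described above: it flags any mapping that pins a watched bank domain to an address, and any non-default name mapped to a loopback or private address, which is typical of a local redirector. The watchlist and the sample hosts content are constructed for illustration.

```python
"""Audit a Windows-style hosts file for entries that redirect bank domains."""
import ipaddress

# Names that legitimately appear in a default hosts file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower(), line_no))
    return entries

def suspicious_entries(text, watchlist):
    """Flag watched (e.g. bank) domains pinned to any address, and non-default
    names mapped to loopback/private addresses (typical of a local redirector)."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if any(name == d or name.endswith("." + d) for d in watchlist):
            findings.append((line_no, name, ip, "watched domain pinned in hosts file"))
        elif addr.is_loopback or addr.is_private:
            findings.append((line_no, name, ip, "non-default name mapped to local/private address"))
    return findings

# Constructed sample: two default lines, one injected bank redirect, one local redirect.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test online.examplebank.test   # injected
127.0.0.1       update.example.test
"""
WATCHLIST = ["examplebank.test"]  # assumption: domains the defender cares about

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS, WATCHLIST):
        print(finding)
```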

Man-in-the-Middle. A MitM attack uses a malicious server to intercept all traffic between the client and the server (i.e. the customer and the financial organization). Sophisticated malware which uses such attacks often also makes use of HTML injection.

Solutions. Single-factor authentication can be bypassed extremely easily by cyber criminals, so it is encouraging that many of the banks which have not yet implemented two-factor authentication are planning to do so. However, there are several other methods which can be used to strengthen or improve modern protection mechanisms.